
SBOM parsing library: https://github.com/spdx/tools-python

Open · terriko opened this issue 4 years ago · 1 comment

There's an official SPDX parser that might yield more robust parsing if we need it: https://github.com/spdx/tools-python

This was feedback from someone on our licensing team who got interested in the content of @anthonyharrison's PR when I asked to make sure that copyright lines didn't have to say "Intel" on them. They weren't sure we'd need robust parsing for what we're doing, but I wanted to put it in the issue tracker in case we wind up wanting to do more complicated things with the SBOM later.

terriko avatar Oct 13 '21 17:10 terriko

@terriko Yes, I am aware of these tools, but when I looked at them they didn't work for SPDX v2.2 files (certainly the version in PyPI). Will keep a watch on them and it should hopefully be a relatively simple refactor (I hope!) to swap the current simple parsers with the official SPDX parsers when ready.

The current parsers all parse against copies of the SPDX test files: https://github.com/spdx/spdx-spec/tree/development/v2.2.2/examples

anthonyharrison avatar Oct 13 '21 18:10 anthonyharrison

Marking as blocked per @anthonyharrison's suggestion. His notes say "Python library being rewritten".

terriko avatar Oct 25 '22 21:10 terriko

SPDX files up to v2.3 now work for the official SPDX parser. @terriko, I don't know if we still need this but just thought of pointing it out :)

DangerChamp avatar Dec 17 '22 23:12 DangerChamp

@DangerChamp Thanks! I think I can mark this as unblocked then, though I don't know when/if it's going to get integrated.

terriko avatar Dec 19 '22 18:12 terriko

I don't think it is fully complete yet as I think the library only works with JSON, YAML and TagValue documents currently.

The cve-bin-tool parser already works with all types of SPDX 2.3 documents, including the experimental XML format.

The transition to SPDX v3.0 is scheduled for 2023 but it is a very different format so I suggest we wait until this is better defined before we plan to migrate.


anthonyharrison avatar Dec 19 '22 18:12 anthonyharrison

Yeah, I think it's safe to say that it's probably unblocked as far as "we could try this out now for the formats it supports" but it's going to be pretty low priority unless someone's bored.

terriko avatar Dec 19 '22 18:12 terriko

Latest update is that the Python tools for SPDX are about to be refactored to prepare for SPDX 3.0. Might be worth waiting until that is complete.

anthonyharrison avatar Mar 09 '23 16:03 anthonyharrison

We've got good enough SPDX parsing through Anthony's tools at this point, I'm going to close this as unnecessary.

terriko avatar Apr 17 '24 21:04 terriko